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BACKGROUND 

Field of the Invention 

[0002] The present invention relates to cryptographic keys. More 
5 specifically, the present invention relates to a method and an apparatus for 
establishing a cryptographic key using an identity based symmetric keying 
technique. 

Related Art 

1° [0003] Users of modern networked computing and communication 

systems routinely use cryptographic techniques when communicating with other 
systems to prevent disclosure of the contents of the communications and to 
authenticate the source of the communications. In general, these cryptographic 
techniques and algorithms are well known and are easily implemented. One of 

1 5 the hardest problems in using these cryptographic techniques is to establish a 
shared key to encrypt communications between nodes. 

[0004] Conventional cryptographic mechanisms for key establishment 
either lack the required flexibility or are too expensive to use in wireless, 
resource-limited ad-hoc networks. Expensive, in this context, means that these 

20 key establishment mechanism require excessive electrical energy, excessive time, 
excessive computing power, excessive bandwidth, or a combination of these along 
with other factors. Many ad-hoc networks facilitate wireless communications 
among participating fixed and mobile units without relying on existing 
infrastructure, such as the towers and landlines that make up the current cellular 

25 telephone systems or on satellites and ground stations. 

[0005] Existing key establishment techniques rely either on public key 
cryptography or on symmetric key cryptography combined with special trusted 
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devices called key distribution centers (KDCs) or key translation centers (KTCs). 
The problem with public key based techniques is that they are expensive; 
requiring excessive energy, time, and computing power. The problem with 
symmetric key based techniques is that, while they are relatively efficient, they 
5 lack flexibility. For example, key distribution schemes such as Kerberos (Miller, 
Neuman, Schiller & Saltzer, "Kerberos Authentication and Authorization 
System", Project Athena Technical Plan, 1987) and Otway-Rees (Otway and 
Rees, "Efficient and Timely Mutual Authentication", Operating Systems Review, 
21 (1987) 8-10) protocols require that their databases be updated whenever an 

10 unfamiliar unit participates in a key establishment session with any KDC. These 
databases contain the keys that the KDC shares with other nodes. This 
inflexibility can be addressed by updating the database of the KDC; however, 
since the KDC can itself be a wireless node, and perhaps a mobile node, this 
update is expensive both in terms of energy and bandwidth. 

15 [0006] What is needed is a method and an apparatus that provides for 

establishing shared cryptographic keys between participating nodes without the 
difficulties listed above. 



SUMMARY 

20 [0007] One embodiment of the present invention provides a system for 

establishing a shared cryptographic key between participating nodes in a network. 
The system operates by sending a first message from the first node to the second 
node requesting establishment of a shared key. The second node sends a second 
message containing identifiers and a message authentication code to a key 

25 distribution center (KDC). The authentication code is generated using a second 
node key belonging to the second node. The KDC recreates the previously 
created second node key using the second node's identifier and a secret key 
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known only to the key distribution center. The KDC then verifies the message 
authentication code using the second node key. If the message authentication 
code is verified, the KDC creates a shared key for the nodes to use while 
communicating with each other. The KDC securely communicates this shared 
5 key to the participating nodes. 

[0008] In one embodiment of the present invention, the KDC encrypts a 
hash value and the shared key using the second node's key to create a first 
encrypted key. The KDC also recreates the previously created first node key 
using its secret key and the identifier of the first node. The KDC encrypts the 

1 0 hash value and the shared key using the first node's key. The KDC sends both of 
these encrypted values to the second node in a third message. The second node 
decrypts the values in the message to recover the hash value and the shared key. 
The second node verifies the hash value and uses the hash value to verify that the 
message came from the KDC. When the hash value has been verified, the second 

15 node sends a fourth message to the first node that includes the encrypted hash 
value and shared key that has been encrypted with the first node's key. The first 
node decrypts the encrypted values to recover the hash value and the shared key. 
Next, the first node verifies the hash value to ensure that the key was created by 
the KDC and uses the shared key to establish that the second node has the shared 

20 key. After the hash value has been verified and it has been established that the 
second node has the shared key, the first node sends a fifth message to the second 
node using the shared key so that the second node can confirm that the shared key 
has been established. The second node then verifies that the first node has the 
shared key. 

25 [0009] In one embodiment of the present invention, the first message 

includes the first node's identifier, the second node's identifier, the KDC's 
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identifier, and a nonce. A nonce is a random number selected for message 
confirmation purposes that has a statistically low probability of being reused. 

[0010] In one embodiment of the present invention, the second message 
includes the KDC's identifier, the second node's identifier, the first node's 
identifier, a nonce created by the second node, the first node's nonce, and a 
message authentication code. The message authentication code is created from 
the KDC's identifier, the second node's identifier, the first node's identifier, the 
second node's nonce, and the first node's nonce. The message authentication 
code is created using the second node's key. 

[0011] In one embodiment of the present invention, the KDC verifies the 
message authentication code by creating a test message authentication code from 
the KDC's identifier, the second node's identifier, the first node's identifier, the 
second node's nonce, and the first node's nonce using the second node's key. The 
KDC compares the test message authentication code with the message 
authentication code. 

[0012] In one embodiment of the present invention, the KDC creates the 
hash value from the second node's identifier, the first node's identifier, the second 
node's nonce, and the first node's nonce. 

[0013] In one embodiment of the present invention, the third message 
includes the second node's identifier, the first node's identifier, the values 
encrypted with the second node's key, and the values encrypted with the first 
node's key. 

[0014] In one embodiment of the present invention, the second node 
validates the hash value by decrypting the values encrypted with the second 
node's key. The second node then creates a test hash value from the second 
node's identifier, the first node's identifier, the second node's nonce, and the first 
node's nonce. The second node compares the test hash value with the hash value. 
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[0015] In one embodiment of the present invention, the fourth message 
includes the first node's identifier, the second node's identifier, the second node's 
nonce, the values encrypted by the KDC using the first node's key, and a 
confirmation value that has been encrypted with the shared key. 

5 [0016] In one embodiment of the present invention, the first confirmation 

value includes the second node's nonce and the first node's nonce. 

[0017] In one embodiment of the present invention, the first node verifies 
the hash value by creating a test hash value from the second node's identifier, the 
first node's identifier, the second node's nonce, and the first node's nonce. The 

10 test hash value is compared with the received hash value. 

[0018] In one embodiment of the present invention, the first node 
establishes that the second node has the cryptographic key by decrypting the first 
node's confirmation value using the cryptographic key. The first node then 
verifies that the first node's nonce is what was sent in the first message. 

1 5 [0019] In one embodiment of the present invention, the fifth message 

includes the second node's identifier, the first node's identifier, and a 
confirmation value created by the first node. 

[0020] In one embodiment of the present invention, the first node creates 
the confirmation value by reordering the first node's nonce and the second node's 

20 nonce recovered by decrypting the received confirmation value. This 
confirmation value is encrypted node's using the cryptographic key. 

[0021] In one embodiment of the present invention, the second node 
confirms that the cryptographic key has been established by decrypting the 
confirmation value received from the first node using the cryptographic key. The 

25 second node then verifies that the second node's nonce was received in the 
confirmation value. 
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[0022] In one embodiment of the present invention, the second node's key 
is created using the KDC's secret key and the second node's identifier. The 
second node's key is installed into the second node prior to deployment of the 
second node. 

5 [0023] In one embodiment of the present invention, the first node's key is 

created using the KDC's secret key and the first node's identifier. The first node's 
key is installed into the first node prior to deployment of the first node. 

BRIEF DESCRIPTION OF THE FIGURES 
10 [0024] FIG. 1 illustrates computing nodes coupled to key distribution 

center 100 in accordance with an embodiment of the present invention. 

[0025] FIG. 2 illustrates key distribution center 100 in accordance with an 
embodiment of the present invention. 

[0026] FIG. 3 illustrates computing node 1 10 in accordance with an 
1 5 embodiment of the present invention. 

[0027] FIG. 4 illustrates computing node 120 in accordance with an 
embodiment of the present invention. 

[0028] FIG. 5 is an activity diagram illustrating message flow related to 
time in accordance with an embodiment of the present invention. 
20 [0029] FIG. 6 is a flowchart illustrating establishing a shared 

cryptographic key in accordance with an embodiment of the present invention. 

DETAILED DESCRIPTION 
[0030] The following description is presented to enable any person skilled 
25 in the art to make and use the invention, and is provided in the context of a parti- 
cular application and its requirements. Various modifications to the disclosed 
embodiments will be readily apparent to those skilled in the art, and the general 
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principles defined herein may be applied to other embodiments and applications 
without departing from the spirit and scope of the present invention. Thus, the 
present invention is not intended to be limited to the embodiments shown, but is 
to be accorded the widest scope consistent with the principles and features 

5 disclosed herein. 

[0031] The data structures and code described in this detailed description 
are typically stored on a computer readable storage medium, which may be any 
device or medium that can store code and/or data for use by a computer system. 
This includes, but is not limited to, magnetic and optical storage devices such as 

10 disk drives, magnetic tape, CDs (compact discs) and DVDs (digital versatile discs 
or digital video discs), and computer instruction signals embodied in a 
transmission medium (with or without a carrier wave upon which the signals are 
modulated). For example, the transmission medium may include a 
communications network, such as the Internet. 

15 

Computing Nodes 

[0032] FIG. 1 illustrates computing nodes coupled to key distribution 
center 1 00 in accordance with an embodiment of the present invention. 
Computing nodes 1 10 and 120 are coupled to key distribution center 100 across 

20 network 130. 

[0033] Key distribution center 100 and computing nodes 1 10 and 120 can 
generally include any type of computer system, including, but not limited to, a 
computer system based on a microprocessor, a mainframe computer, a digital 
signal processor, a portable computing device, a personal organizer, a device 

25 controller, and a computational engine within an appliance. Key distribution 
center 100 and computing nodes 110 and 120 can include mobile secure 
communication devices, which have embedded computer processors. A 

8 

Attorney Docket No. NA0 1-00101 Inventor: Matt 

EJG E \NETWORKS ASSOCIATES TECHNOLOGY\NA0I-00l0I\NA0I-00I01 APPLICATION DOC 



practitioner with ordinary skill in the art will readily recognize that, while 
establishing a shared cryptographic key involves only one key distribution center 
and two nodes, the system can include more than one key distribution center and 
more than two nodes. 
5 [0034] Network 130 can generally include any type of wire or wireless 

communication channel capable of coupling together computing nodes. This 
includes, but is not limited to, a local area network, a wide area network, or a 
combination of networks. In one embodiment of the present invention, network 
130 includes a wireless communication network. 

10 

Key Distribution Center 

[0035] FIG. 2 illustrates key distribution center 100 in accordance with an 
embodiment of the present invention. Key distribution center 100 includes 
sending mechanism 202, receiving mechanism 204, secret key 206, key recreator 
15 208, key generator 210, message verifier 212, hash code generator 214, and 
encryptor 216. 

[0036] Sending mechanism 202 provides the capability of sending 
messages from key distribution center 100 to other nodes, for example nodes 110 
and 120. Receiving mechanism 204 provides the capability of receiving messages 

20 at key distribution center 100 from other nodes, for example nodes 110 and 120. 

[0037] Secret key 206 is typically known only to key distribution center 
100 but, with reduced security, may be shared by other KDCs and may be known 
by a central storage facility. Note that key distribution center 100 does not have a 
database of shared keys for each node in the system. Each node in the system has 

25 a private key, which was generated using secret key 206 and the identity of the 
individual node. Key recreator 208 recreates these keys using the identity of any 
node that is in communication with key distribution center 100. 
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[0038] Key generator 210 generates cryptographic keys to be shared 
between nodes such as node 110 and node 120 that desire to communicate. Key 
generator 210 can use any well-known technique for generating the shared key, 
optionally using inputs provided by the node (e.g. the nonces). 

5 [0039] Message verifier 212 verifies the authenticity of messages received 

by comparing unique values within the message with values that should be in the 
message. The operation of message verifier 212 is explained below in 
conjunction with FIG. 6. 

[0040] Hash code generator 214 can use any available hash algorithm to 

1 0 create a hash code of the values presented to hash code generator 2 14, An 
example of a hash algorithm is secure hash algorithm one (SHA-1). 

[0041] Encryptor 216 performs encryption using any available symmetric 
key algorithm. Well-known examples of symmetric key encryption algorithms are 
Data Encryption Standard (DES), triple DES 5 and Advanced Encryption Standard 

15 (AES). 



Computing Node 110 

[0042] FIG. 3 illustrates computing node 1 10 in accordance with an 
embodiment of the present invention. Node 110 includes sending mechanism 
20 302, receiving mechanism 304, node key 306, MAC generator 308, encryptor 310, 
decryptor 312, nonce generator 3 14, hash validator 316, and key establishment 
verifier 318. 

[0043] Sending mechanism 302 provides the capability of sending 
messages from node 1 10 to other nodes, for example node 120 and to key 
25 distribution center 100. Receiving mechanism 304 provides the capability of 

receiving messages at node 110 from other nodes, for example node 120 and from 
key distribution center 100. 
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[0044] Node key 306 is generated using secret key 206 belonging to key 
distribution center 100 and the identity of node 110. Node key 306 is specific to 
node 1 10, but can be regenerated by key distribution center 100 from the identity 
of node 1 1 0 by using secret key 206. One way of generating node key 306 is to 

5 encrypt the identity of node 1 10 using secret key 206. Node key 306 is loaded 
into node 1 10 prior to deployment of node 110. 

[0045] MAC generator 308 can generate message authentication codes for 
messages being sent from node 110. Typically, a message authentication code is 
created using a cryptographic process, which encrypts part of the message being 

1 0 sent using a block-chaining method and uses the output of the final round of 
chaining as the message authentication code. 

[0046] Encryptor 310 performs encryption using any available symmetric 
key algorithm. Well-known examples of symmetric key encryption algorithms are 
Data Encryption Standard (DES) ? triple DES, and Advanced Encryption Standard 

1 5 (AES). Decryptor 312 performs decryption using the same algorithm as encryptor 
216. Note that encryptor 310 and decryptor 312 also use the same algorithm as 
encryptor 216 in key distribution center 100. 

[0047] Nonce generator 314 generates random values called nonces, which 
can be used to validate that a message received by node 1 10 is in response to a 

20 message sent from node 1 1 0. A nonce has a statistically low probability of being 
reused. 

[0048] Hash validator 316 validates the hash code in a message received 
from key distribution center 100. Hash validator 316 uses the same hash 
algorithm as hash code generator 214. In operation, hash validator 316 generates 
25 a test hash code using the same input values that were used by hash code 

generator 214. The test hash value is compared with the received hash value. The 
hash code is valid if both values are the same. 
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[0049] Establishment verifier 318 verifies that a second node, say node 
120, has the shared key being established. This verification is described in detail 
in conjunction with FIG. 6. 



5 Computing Node 120 

[0050] FIG. 4 illustrates computing node 120 in accordance with an 
embodiment of the present invention. Node 120 includes sending mechanism 
402, receiving mechanism 404, node key 406, MAC generator 408, encryptor 410, 
decryptor 412, nonce generator 414, hash validator 416, and key establishment 
1 0 verifier 418. Node 120 is symmetric with node 110, and any other node in the 
system. Details of the components within node 120 are as described for node 110 
in conjunction with FIG. 3 above. Both nodes have been described to allow 
reference to both nodes in conjunction with the descriptions of FIGs. 5 and 6. 



15 Activity Diagram 

[0051] FIG. 5 is an activity diagram illustrating message flow related to 
time in accordance with an embodiment of the present invention. Note that since 
node 110 and node 120 are symmetric, either node can take on either role as 
described below. In FIG. 5, the flow of time is from the top of the activity 

20 diagram to the bottom of the activity diagram. The system starts when node 120 
sends message 502 to node 1 10 requesting a shared key for communications. The 
contents of all messages described in conjunction with FIG. 5 are presented in the 
detailed discussion of FIG. 6. 

[0052] Node 110 subsequently receives message 502 and generates an 

25 authenticated request for a shared key. The authenticated request is sent to key 
distribution center 100 in message 504. When key distribution center 100 
receives message 504, key distribution center 100 validates the authenticated 
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request. If the request is valid, key distribution center 100 creates a shared key for 
nodes 110 and 120. The shared key, along with validation data, is encrypted using 
the node key of both node 1 10 and node 120. Both of these encrypted values are 
sent to node 1 10 in message 506. 
5 [0053] Upon receipt of message 506, node 1 10 decrypts the copy of the 

key encrypted with its node key, and then checks the validation received with the 
shared key. If the key is valid, node 110 generates proof that it has the shared key. 
The proof that it has the shared key is sent, along with the copy of the key 
encrypted using the node key for node 120, to node 120 in message 508. 

10 [0054] When node 120 receives message 508, node 120 decrypts the 

shared key and checks the validation received with the shared key. If the shared 
key is valid, node 120 verifies the proof that node 1 10 has the shared key. After 
verifying the proof that node 110 has the shared key, node 120 generates proof 
that node 120 has the shared key. Node 120 sends this proof to node 1 10 in 

15 message 510. 

[0055] When node 110 receives message 510, node 110 verifies the proof 
that node 120 has the shared key. When the proof is verified, secure 
communications between nodes 110 and 120 can commence. 

20 Establishing the Shared Cryptographic Key 

[0056] FIG. 6 is a flowchart illustrating establishing a shared 
cryptographic key in accordance with an embodiment of the present invention. 
The system starts when sending mechanism 402 in node 120 sends message 502 
to node 110 requesting that a shared key be established (step 602). Message 502 
25 includes: 

ID A |iID B ||KDCj II N b 
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where ID A is the identifier of node 120, IDs is the identifier of node 110, KDCj is 
the identifier of key distribution center 100, Nb is a nonce generated by node 120, 
and || indicates concatenation. 

[0057] When receiving mechanism 304 at node 120 receives message 502, 
5 node 120 generates an authenticated request for a shared key (step 604). The 
authenticated request includes: 

KDCj |i ID A || ID B |i N A || N B || M(Kaj ? KDCj || ID a j| ID B || N A j| N B ) 
where N A is a nonce generated by node 110, Kaj is node key 306 and M(K AJ , 
KDCj II ID A || ID B II N A || Nb) is a message authentication code generated by MAC 
10 generator 308 using Kaj and KDCj || ID A || ID B || N A || Nb- Sending mechanism 
302 in node 110 sends the authenticated request to key distribution center 100 in 
message 504 (step 606). 

[0058] After receiving mechanism 204 receives message 504, message 
verifier 212 validates the request (step 608). The request is validated by first 
15 recreating node key 306 within key recreator 208 using secret key 206 and ID A . 
Message verifier 212 validates the request by recreating M(Kaj, KDCj 1] ID A |j ID B 
|| N A || Nb) and comparing the recreated version with the version received in 
message 504. If both versions match, the request is valid. 

[0059] Next, key generator 210 generates shared cryptographic key Kab 
20 for use between node 110 and node 120 (step 610). Key recreator 208 recreates 
node key 406 belonging to node 120 by using secret key 206 and ID B . Hash code 
generator 214 generates H(ID A || ID B H N A || N B ). Encryptor 216 creates encrypted 
values ECKaj, H(ID a || ID B || N A || N b ) || Kab) and E(K BJ , H(ID A || ID B || N A || N B ) || 
Kab)? where K B j is node key 406 (step 612). 
25 [0060] Sending mechanism 202 then sends message 506 to node 110 (step 

614). Message 506 includes: 
IDa II IDb li 

14 

Attorney Docket No. NA0 1-00101 Inventor: Matt 

EJG E-\NETWORKS ASSOCIATES TECHNOLOG Y\NA0 1-00101 \NA0 1-00101 APPLICATION. DOC 



E(Kaj ; H(ID a II ID B II N A || N B ) II Kab) || 
E(K BJ , H(ID A || ID B II N A II N B ) || Kab). 

[0061] When receiving mechanism 304 receives message 506, decryptor 
312 decrypts E(Kaj, H(ID a || ID b || N a || N b ) || Kab) using Kaj thereby recovering 
5 H(ID A || ID B II N A || N B ) || Kab (step 616). Hash validator 316 then validates H(ID A 
|| IDb I) N A || N B ). Establishment verifier 3 1 8 then creates encrypted value E(Kab, 
N A || N B ) as proof that node 1 10 has Kab (step 618). 

[0062] Next, sending mechanism 302 sends message 508 to node 120 
(step 620). Message 508 includes: 
10 IDb||IDa||N a || 

E(K B j, H(ID a II ID B || N a || N b ) || Kab) II 

E(KabN a ||N b ). 

[0063] When receiving mechanism 404 receives message 508, decryptor 
412 decrypts E(K B j, H(ID A || ID B || N A || N B ) || Kab) using K B j thereby recovering 

15 H(ID A II ID B il N A || N b ) II Kab. Hash validator 416 validates H(ID A || ID B || N A || 
N B ). Decryptor 412 then decrypts E(Kab,N a || Nb) recovering N A j| Nb (step 622). 
Establishment verifier 418 establishes that node 1 10 has Kab by comparing the 
recovered Nb with the original Nb (step 624). 

[0064] After establishing that node 1 10 has Kab, establishment verifier 

20 418 creates N B || N A as proof that node 120 has Kab (step 626). Encryptor 410 
encrypts N B || N A using the shared key creating E(Kab, N b || Na). Sending 
mechanism 402 sends message 510 to node 110 (step 628). Message 510 
includes: 

IDaHIDb HE(Kab ? N b II N a ). 

25 [0065] When receiving mechanism 304 receives message 5 1 0, decryptor 

3 12 decrypts E(Kab, N b || Na) recovering N B || N A . Establishment verifier 3 1 8 
verifies that node 120 has K^ by comparing the decrypted copy of N A with the 
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original value of N A and optionally, by comparing the decrypted copy of Nb with 
the original value of Nb. 

[0066] The foregoing descriptions of embodiments of the present 
invention have been presented for purposes of illustration and description only. 
They are not intended to be exhaustive or to limit the present invention to the 
forms disclosed. Accordingly, many modifications and variations will be apparent 
to practitioners skilled in the art. Additionally, the above disclosure is not 
intended to limit the present invention. The scope of the present invention is 
defined by the appended claims. 
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